By now you’ll be aware that a significant ransomware outbreak started towards the end of last week. The ransomware, known as WannaCrypt or WannaCry, affected many organisations around the world.
We’ve updated the systems we manage to protect our customers and will continue to proactively manage this and other security risks. As patches are distributed, your staff may notice requests to reboot their systems. Please advise them to follow the onscreen guidance. You should also take the opportunity to remind staff not to open attachments or follow links from unknown senders or where there is cause to doubt their intent.
In relation to your systems that we do not control, we’d like to share the latest guidance on how to protect them.
To contain the propagation of this malware, you should follow these steps:
- Deploy the patches from Microsoft security bulletin MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- A patch is available for legacy platforms: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
- If it’s not possible to apply this patch, disable SMBv1 (how to: https://support.microsoft.com/en-us/help/2696547) and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
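For hosts where the patch cannot be applied straight away, the SMBv1 step above can be checked and applied with the following script. It is an added example and not part of the original guidance. It uses the cmdlets and registry value documented in the Microsoft support article linked above, and covers the SMBv1 server component only. The script's structure, its function names and the -Disable switch are this example's own.

```powershell
# Added example: report whether the SMBv1 server is enabled on this host and,
# when run with -Disable, turn it off. Run from an elevated PowerShell prompt.
# -Disable and the function names below are this example's own, not a Microsoft API.
param([switch]$Disable)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later provide the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older platforms: the registry value SMB1 controls the server.
    # A missing value means SMBv1 is enabled, which is the default.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value -or $value -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return 'SMBv1 server disabled.'
    }
    # The registry method only takes effect after a restart.
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    return 'SMBv1 server disabled in the registry. Restart this host to apply.'
}

if (Get-Smb1ServerState) {
    Write-Output "$env:COMPUTERNAME : SMBv1 server is ENABLED."
    if ($Disable) {
        Write-Output (Disable-Smb1Server)
    } else {
        Write-Output 'Re-run with -Disable to turn it off.'
    }
} else {
    Write-Output "$env:COMPUTERNAME : SMBv1 server is already disabled."
}
```

Run it without arguments first to record the current state of each host, then with -Disable on the hosts that report SMBv1 as enabled.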
Work done in the security research community has prevented many potential compromises. To benefit, ensure your systems can resolve and connect on TCP 80 to these domains (remove square brackets):
The malware is not proxy-aware, so a local DNS record may be required. This record does not need to point to the internet; it can resolve to any accessible server that will accept connections on TCP 80.
Antivirus vendors are increasingly able to detect and remediate this malware. Updating your antivirus products will provide additional protection.
We trust this guidance is useful. If we can assist you further, please call 01202 299 799 and speak with David O’Neil (ext. 748) or Mark Richman (ext. 718).